v0.4.1
Stable, released 2026-06-04 15:41:06 +02:00 | 18 commits to master since this release

Security hardening
Completes the parser recursion-depth hardening started in v0.4.0.

v0.4.0 capped every plugin's `walk` recursion, but the self-recursive type-expression helpers in the Python, C#, and TypeScript plugins were still unbounded. A crafted file with a deeply nested type expression (`List[List[...]]`, `List<List<...>>`, `Array<Array<...>>`) is reached via a shallow walk but recurses thousands of levels inside `emit_type_ref` / `emit_receiver_type_refs`, overflowing the daemon's worker stack, which `catch_unwind` cannot intercept.

Each helper now routes through a depth-aware core guarded by `MAX_PARSE_DEPTH`. Extraction behavior is unchanged; a deep-nested-type regression test per plugin confirms the guard (verified to SIGABRT with the cap disabled). PHP's type helper is structurally flat and needs no guard.

With this, all six language parsers are fully guarded against the deeply-nested-input stack-overflow DoS, closing the last residual from the v0.4.0 ultradeep review.
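A minimal sketch of the guard pattern described above, added here as an illustration and not taken from the project's source: a self-recursive `Name[Arg, ...]` type-expression helper routed through a depth-aware core. Only `emit_type_ref` and `MAX_PARSE_DEPTH` are names from the release notes; the string-based parser, the `emit_type_ref_at` helper, the `truncated` flag and the cap value of 128 are assumptions.

```rust
// Added illustration, not the project's code. The cap value is an assumption.
const MAX_PARSE_DEPTH: usize = 128;

/// Entry point: starts the depth-aware core at depth 0. Returns the type
/// names collected and whether the cap cut the descent short.
fn emit_type_ref(src: &str) -> (Vec<String>, bool) {
    let (mut refs, mut truncated, mut pos) = (Vec::new(), false, 0usize);
    emit_type_ref_at(src.as_bytes(), &mut pos, 0, &mut refs, &mut truncated);
    (refs, truncated)
}

/// Depth-aware core for `Name` or `Name[Arg, Arg, ...]`; one frame per nesting level.
fn emit_type_ref_at(s: &[u8], pos: &mut usize, depth: usize,
                    refs: &mut Vec<String>, truncated: &mut bool) {
    if depth >= MAX_PARSE_DEPTH {
        *truncated = true; // refuse to descend further instead of overflowing
        return;
    }
    while s.get(*pos) == Some(&b' ') { *pos += 1; }
    let start = *pos;
    while s.get(*pos).map_or(false, |b| b.is_ascii_alphanumeric() || *b == b'_') { *pos += 1; }
    if *pos > start {
        refs.push(String::from_utf8_lossy(&s[start..*pos]).into_owned());
    }
    if s.get(*pos) != Some(&b'[') { return; }
    *pos += 1;
    loop {
        emit_type_ref_at(s, pos, depth + 1, refs, truncated);
        if *truncated { return; } // unwind immediately once the cap is hit
        while s.get(*pos) == Some(&b' ') { *pos += 1; }
        match s.get(*pos) {
            Some(b',') => *pos += 1,
            Some(b']') => { *pos += 1; break; }
            _ => break, // malformed or end of input
        }
    }
}

fn main() {
    // Constructed input: 100_000 levels of List[...] around one leaf type.
    let deep = format!("{}int{}", "List[".repeat(100_000), "]".repeat(100_000));
    let (refs, truncated) = emit_type_ref(&deep);
    println!("names={} truncated={}", refs.len(), truncated);
}
```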
Changes: v0.4.0...v0.4.1